Hello, I've been working with the upstream project and while doing some NTS testing, I had to generate and install a SELinux policy to allow ntp communications using NTS.

allow ntpd_t ntske_port_t:tcp_socket name_connect;

Reproducible: Always

Steps to Reproduce:
1. Install system with SELinux in "enforcing"
2. Install ntpsec RPM
3. Configure ntp.conf to use NTS-enabled server
4. Restart ntpd.

Actual Results:
4. Restart ntpd. View in log "Permission Denied" error

Expected Results:
4. Restart ntpd. View successful ntp connection using NTS.
The policy is included in the selinux-policy package.
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(10/30/2023 04:46:52.693:699) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp
type=SOCKADDR msg=audit(10/30/2023 04:46:52.693:699) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::7 lport=4460 }
type=SYSCALL msg=audit(10/30/2023 04:46:52.693:699) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fdc94003570 a2=0x1c a3=0x4000 items=0 ppid=1 pid=4646 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc: denied { name_connect } for pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0
----

# rpm -qa selinux\* ntp\* | sort
ntpsec-1.2.2a-1.fc39.x86_64
selinux-policy-40.4-1.fc40.noarch
selinux-policy-targeted-40.4-1.fc40.noarch
#
The following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(10/30/2023 04:48:27.329:704) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp
type=SOCKADDR msg=audit(10/30/2023 04:48:27.329:704) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::8 lport=4460 }
type=SYSCALL msg=audit(10/30/2023 04:48:27.329:704) : arch=x86_64 syscall=connect success=no exit=EINPROGRESS(Operation now in progress) a0=0x4 a1=0x7fb5440030f0 a2=0x1c a3=0x4000 items=0 ppid=1 pid=4677 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(10/30/2023 04:48:27.329:704) : avc: denied { name_connect } for pid=4677 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=1
----

# grep nts /etc/ntp.conf
server nts.netnod.se:4460 nts iburst # Anycast
#

To reproduce the problem, I chose one of the servers listed here and restarted the ntpd service:
* https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
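The workaround the reporter describes (derive the missing allow rule from the AVC denial and install it as a local policy module), as an added example that is not part of the bug report or of selinux-policy; the function names avc_to_rule and avc_to_te and the module name ntpd_ntske are assumptions, and the sample audit line is constructed from the denial above:

```shell
# Added example, not code from the bug report or selinux-policy: turn AVC denials like
# the one above into allow rules and a loadable .te module, as the reporter did by hand.
# Constructed sample: the enforcing-mode denial from the report, as one audit line.
SAMPLE_AVC='type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc: denied { name_connect } for pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_rule: AVC records on stdin -> one "allow src tgt:class perms;" per denial.
# The source and target types are the third field of scontext and tcontext.
avc_to_rule() {
    awk '/avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (perms == "" || stype == "" || ttype == "" || tclass == "") next
        if (perms ~ / /) perms = "{ " perms " }"   # several permissions need braces
        printf "allow %s %s:%s %s;\n", stype, ttype, tclass, perms
    }'
}

# avc_to_te NAME: AVC records on stdin -> a complete module NAME whose require
# block declares every type, class and permission the generated rules use.
avc_to_te() {
    avc_to_rule | awk -v mod="$1" '
    {
        split($3, tc, ":"); types[$2] = 1; types[tc[1]] = 1; classes[tc[2]] = 1
        p = $0; sub(/^allow [^ ]+ [^ ]+ /, "", p); gsub(/[{};]/, "", p)
        n = split(p, pl, " "); for (j = 1; j <= n; j++) perm[tc[2], pl[j]] = 1
        rules[NR] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "    type %s;\n", t
        for (c in classes) {               # union of the permissions seen per class
            s = ""; k = 0
            for (key in perm) { split(key, kk, SUBSEP); if (kk[1] == c) { s = s " " kk[2]; k++ } }
            printf "    class %s %s;\n", c, (k > 1 ? "{" s " }" : substr(s, 2))
        }
        print "}\n"
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}
# Build, load and verify (checkpolicy, policycoreutils and setools, as root):
#   printf '%s\n' "$SAMPLE_AVC" | avc_to_te ntpd_ntske > ntpd_ntske.te
#   checkmodule -M -m -o ntpd_ntske.mod ntpd_ntske.te && semodule_package -o ntpd_ntske.pp -m ntpd_ntske.mod
#   semodule -i ntpd_ntske.pp && sesearch -A -s ntpd_t -t ntske_port_t -c tcp_socket -p name_connect
```

Once the fixed selinux-policy is installed, the same sesearch query should report the rule without any local module loaded.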
Test coverage for this BZ exists in the form of a PR:
* https://src.fedoraproject.org/tests/selinux/pull-request/445
The PR is awaiting review.
PR submitted to selinux-policy: https://github.com/fedora-selinux/selinux-policy/pull/1918
When the EPEL repository is enabled on RHEL-9, the same problem can be reproduced there.
Yes, I was doing the testing on RHEL 9.2. Will the fix end up getting backported to EL9-next?
Here is the Jira ticket that tracks the problem/fix for RHEL-9:
* https://issues.redhat.com/browse/RHEL-15085
FEDORA-2023-aeccf7b447 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447
FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-aeccf7b447` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.